Features and Capabilities
JFrog Advanced Security extends Xray beyond traditional vulnerability detection to deliver high-fidelity, developer-ready security findings across source code, binaries, containers, and infrastructure—reducing noise, prioritizing what is truly exploitable, and enabling automated enforcement throughout the SDLC.
CVE Contextual Analysis and Reachability
Traditional scanners often generate large CVE lists with limited guidance on what truly impacts your software. Advanced Security adds contextual, code-aware analysis that determines whether a vulnerability is applicable based on how your first-party code actually uses third-party libraries—surfacing evidence and justification developers can act on.
Capabilities include:
- Contextual CVE applicability – Determines whether a CVE is exploitable in the context of the scanned code/artifact (Applicable / Not Applicable / Undetermined, etc.).
- Reachability analysis with evidence – Identifies reachable paths and justifies why a CVE was flagged, helping developers validate and remediate efficiently.
- Transitive dependency analysis – Shows call chains that reach vulnerable functions through dependencies-of-dependencies, with direct vs. transitive views and call graph visualization.
- Delivery in developer workflows – Results available in the Platform scan results, IDE, CLI, and PR decoration (Frogbot).
- Research-backed coverage expansion – Contextual scanners are built by JFrog Security Research; Advanced Security customers can request prioritization for CVEs lacking contextual coverage.
→ Learn more: Transitive Dependency Analysis
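The applicability decision described above (Applicable, Not Applicable, or Undetermined, with a call chain as evidence and a direct versus transitive distinction) can be illustrated with a small reachability check over a call graph. The example below is added here and is not JFrog's scanner code; the call graph, the package names (app, libparse, libdecomp, libtemplate), the vulnerable function names and the rule that a symbol missing from the graph yields Undetermined are all constructed assumptions for the demonstration.

```python
from collections import deque

# Constructed call graph (caller -> callees). "app.*" is first-party code;
# every other package is third-party, and libparse itself depends on libdecomp,
# so libdecomp is a dependency-of-a-dependency from the application's view.
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render"},
    "app.handle_upload": {"libparse.parse_file"},
    "app.render": {"libtemplate.render"},
    "libparse.parse_file": {"libdecomp.inflate"},
    "libdecomp.inflate": {"libdecomp.read_header"},
    "libdecomp.read_header": set(),
    "libdecomp.legacy_decode": set(),   # shipped in the package but never called
    "libtemplate.render": {"libtemplate.escape"},
    "libtemplate.escape": set(),
}
FIRST_PARTY_PREFIX = "app."   # assumption: first-party symbols start with this


def package_of(symbol):
    return symbol.split(".", 1)[0]


def find_call_chain(graph, start, target):
    """Breadth-first search from start; returns the shortest call chain that
    ends at target, or None when target is unreachable from start."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in sorted(graph.get(node, ())):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def classify(graph, entry_points, vulnerable_function):
    """Applicable: some entry point reaches the vulnerable function (the chain
    is the evidence). Not Applicable: the symbol exists but nothing reaches it.
    Undetermined (modelled here as: the symbol is not in the graph at all)."""
    known = set(graph) | {c for callees in graph.values() for c in callees}
    if vulnerable_function not in known:
        return {"status": "Undetermined", "kind": None, "evidence": None}
    for entry in entry_points:
        chain = find_call_chain(graph, entry, vulnerable_function)
        if chain is None:
            continue
        # The first third-party frame tells us whether the vulnerable package
        # is called directly by our code or only through another dependency.
        first_third_party = next(
            (s for s in chain if not s.startswith(FIRST_PARTY_PREFIX)), vulnerable_function)
        kind = ("direct" if package_of(first_third_party) == package_of(vulnerable_function)
                else "transitive")
        return {"status": "Applicable", "kind": kind, "evidence": " -> ".join(chain)}
    return {"status": "Not Applicable", "kind": None, "evidence": None}


if __name__ == "__main__":
    for symbol in ("libdecomp.inflate", "libtemplate.escape",
                   "libdecomp.legacy_decode", "libparse.parse_bytes"):
        print(symbol, classify(CALL_GRAPH, ["app.main"], symbol))
```

The evidence string is what a developer needs to validate the finding: for libdecomp.inflate it shows the path through libparse, so the fix may be a libparse upgrade rather than a change to first-party code, while libdecomp.legacy_decode is present in the artifact but classified Not Applicable because no entry point reaches it.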
Secrets Detection and Token Validation
Advanced Security helps prevent accidental exposure of sensitive credentials by scanning for secrets in both source code and binary artifacts, with optional token validation to distinguish active from inactive credentials.
Capabilities include:
- Secrets scanning across SDLC – Detection integrated into IDE, CLI, Frogbot, and the JFrog Platform for real-time and pipeline feedback.
- Broad secret coverage – Access tokens and keys, high-entropy textual secrets, credentials embedded in URLs, and certificate and private-key issues (including expired or self-signed certificates and private keys stored alongside certificates).
- Dynamic token validation – Validates supported token types by authenticating against the providers' public SaaS endpoints, classifying each token as Active, Inactive, Unsupported, or Unavailable.
- False-positive reduction heuristics – Reduces noise via patterns, directory heuristics (e.g., documentation paths), and other filters.
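The detection categories and noise-reduction heuristics listed above map naturally onto a small scanner: pattern rules for well-formed keys, an entropy test for assigned secret values, a URL-credential check, and path and placeholder heuristics that suppress documentation and sample values. The code below is an added example, not JFrog's secrets engine; the patterns, the 3.5-bit entropy threshold, the placeholder word list, the documentation path rules and the sample files are all constructed for the demonstration.

```python
import math
import re
from urllib.parse import urlsplit

# Constructed detection rules; they stand in for the product's real rule set.
TOKEN_PATTERNS = {
    "cloud access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
URL_WITH_CREDENTIALS = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@\S+", re.I)
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|passwd|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})""")
PLACEHOLDER_WORDS = ("changeme", "example", "placeholder", "your_token_here", "xxxx")
DOC_DIRS = ("docs/", "doc/", "examples/")
DOC_EXTS = (".md", ".rst", ".txt")


def shannon_entropy(value):
    """Bits of entropy per character; random tokens score well above prose."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value):
    low = value.lower()
    return any(word in low for word in PLACEHOLDER_WORDS)


def is_documentation_path(path):
    """Directory/extension heuristic: sample keys in docs are not leaks."""
    return path.startswith(DOC_DIRS) or path.endswith(DOC_EXTS)


def scan_text(path, text, entropy_threshold=3.5):
    """Return (path, line number, rule name) findings for one file."""
    findings = []
    if is_documentation_path(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in TOKEN_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
        url = URL_WITH_CREDENTIALS.search(line)
        if url:
            password = urlsplit(url.group(0)).password or ""
            if password and not looks_like_placeholder(password):
                findings.append((path, lineno, "url-embedded credential"))
        assignment = SECRET_ASSIGNMENT.search(line)
        if assignment:
            value = assignment.group(1)
            if not looks_like_placeholder(value) and shannon_entropy(value) >= entropy_threshold:
                findings.append((path, lineno, "high-entropy secret"))
    return findings


def scan_files(files):
    """files: mapping of path -> text content."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository: none of these values are real credentials.
SAMPLE_FILES = {
    "src/config.py": "\n".join([
        "DB_PASSWORD = 'pA9x2LkQ7mZ3vT8rW1yB'",
        "DATABASE_URL = 'postgres://report_user:s3cretPassw0rd@db.internal:5432/app'",
        "aws_access_key_id = AKIAABCDEFGHIJKLMNOP",
        "token = 'YOUR_TOKEN_HERE_0000'",        # placeholder: suppressed
        "secret = 'aaaaaaaaaaaaaaaaaaaa'",       # low entropy: suppressed
    ]),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----",
    "docs/setup.md": "Use aws_access_key_id = AKIAABCDEFGHIJKLMNOP as an example",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(*finding)
```

The two suppression layers are deliberately independent: the documentation-path rule drops a whole file before any pattern runs, while the placeholder and entropy checks only apply to values that already matched a secret-looking assignment, so a structurally valid key in source code is still reported even if its text looks unremarkable.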
Misconfiguration Scanning
Advanced Security identifies security misconfigurations that can expose applications and infrastructure—helping teams strengthen posture early and enforce compliance as code moves from development to production.
Capabilities include:
- IaC security analysis (Terraform) – Scans modules, plan files, and (post-deploy) state files stored in Artifactory to detect cloud misconfigurations across AWS, Azure, and GCP.
- Services configuration scanning – Detects misconfigurations in common services found in containers (e.g., web servers, proxies, databases) to ensure secure-by-default configuration.
- Application library misuse detection – Identifies insecure usage patterns and misconfigurations in supported runtimes (Python and Node.js), such as weak crypto and unsafe execution patterns.
- Actionable severity and prioritization – Severity ratings focus attention on real security risk and filter out low-impact noise.
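The IaC analysis described above can be illustrated with checks over the JSON that `terraform show -json` produces for a plan: resources sit under planned_values.root_module.resources (and recursively under child_modules), each with a type, an address and its planned values. The code below is an added example, not JFrog's scanner; the three rules, their severities and the sample plan are constructed for the demonstration, and the rules only cover a handful of AWS resource attributes.

```python
import json

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def world_open(rule):
    return ("0.0.0.0/0" in (rule.get("cidr_blocks") or [])
            or "::/0" in (rule.get("ipv6_cidr_blocks") or []))


def check_security_group(values):
    for rule in values.get("ingress") or []:
        if not world_open(rule):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") == "-1" or (lo, hi) == (0, 0)
        if all_ports or lo <= 22 <= hi or lo <= 3389 <= hi:
            yield "HIGH", f"ingress {lo}-{hi} from 0.0.0.0/0 exposes administrative ports"
        else:
            yield "MEDIUM", f"ingress {lo}-{hi} from 0.0.0.0/0"


def check_public_access_block(values):
    for flag in ("block_public_acls", "block_public_policy",
                 "ignore_public_acls", "restrict_public_buckets"):
        if values.get(flag) is not True:     # missing counts as not enabled
            yield "HIGH", f"{flag} is not enabled"


def check_db_instance(values):
    if values.get("publicly_accessible") is True:
        yield "HIGH", "database instance is publicly accessible"
    if values.get("storage_encrypted") is False:
        yield "MEDIUM", "storage encryption disabled"


# Constructed rule table: resource type -> generator of (severity, message).
RULES = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket_public_access_block": check_public_access_block,
    "aws_db_instance": check_db_instance,
}


def scan_plan(plan):
    """Run every applicable rule over a parsed plan; highest severity first."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        check = RULES.get(res.get("type"))
        if check is None:
            continue
        for severity, message in check(res.get("values") or {}):
            findings.append({"address": res["address"], "severity": severity, "message": message})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


# Constructed plan excerpt in the terraform show -json layout.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2",
 "planned_values": {"root_module": {
   "resources": [
     {"address": "aws_security_group.bastion", "type": "aws_security_group", "name": "bastion",
      "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
     {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
      "values": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
     {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block", "name": "logs",
      "values": {"block_public_acls": false, "block_public_policy": true, "ignore_public_acls": true, "restrict_public_buckets": true}}
   ],
   "child_modules": [
     {"address": "module.db", "resources": [
       {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance", "name": "main",
        "values": {"publicly_accessible": true, "storage_encrypted": true}}]}
   ]}}}
""")

if __name__ == "__main__":
    for finding in scan_plan(SAMPLE_PLAN):
        print(finding["severity"], finding["address"], finding["message"])
```

Scanning the plan rather than the HCL source is what makes module-nested resources (the database under module.db here) visible with their resolved values, and sorting by severity is the simplest form of the prioritization the section describes: the world-open HTTPS rule is reported, but below the SSH exposure and the public database.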
SAST
JFrog Advanced Security includes a local, developer-centric SAST engine designed for fast feedback, low noise, and actionable remediation—supporting broad language coverage and deep cross-file/data-flow analysis.
Capabilities include:
- Local scanning for privacy and speed – Runs on developer workstations and CI servers without requiring source upload.
- Cross-file, cross-module data flow analysis – Traces data from source to sink to improve accuracy and reduce false positives.
- OWASP Top 10 and beyond – Comprehensive rule coverage mapped to industry standards.
- Workflow integration – IDE, CLI, Frogbot, and policy enforcement through the JFrog Platform.
- Ignore stability via fingerprinting – Resilient ignore behavior that avoids resurfacing findings due to non-functional code changes.
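Two of the capabilities listed above, cross-module source-to-sink data flow and fingerprint-based ignore stability, can be shown together in a small taint tracker over Python ASTs. The code below is an added example and not JFrog's SAST engine; the source and sink lists, the two sample modules (util and app), the straight-line-only propagation and the fingerprint recipe (module, function, flow and normalized sink line, with no line number) are constructed assumptions for the demonstration.

```python
import ast
import hashlib

# Constructed source/sink lists; a real rule set is far larger.
SOURCES = {"flask.request.args.get"}
SINKS = {"os.system", "subprocess.call"}


def dotted(node):
    """Render a Name/Attribute chain as 'a.b.c', or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def import_map(tree):
    """Map local alias -> fully qualified name for a module's imports."""
    aliases = {}
    for node in tree.body:
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def resolve(call, aliases):
    name = dotted(call.func)
    if not name:
        return None
    head, dot, rest = name.partition(".")
    return aliases.get(head, head) + dot + rest


def names_in(expr):
    return {n.id for n in ast.walk(expr) if isinstance(n, ast.Name)}


def track(stmts, tainted, aliases, summaries):
    """Walk straight-line statements in order. tainted maps variable -> origin.
    Returns (origin, sink chain, line) for each tainted argument that reaches a
    sink directly or through a function whose summary says it forwards to one.
    Assignments nested in if/for bodies are not propagated in this illustration."""
    hits = []
    for stmt in stmts:
        for call in ast.walk(stmt):
            if not isinstance(call, ast.Call):
                continue
            target = resolve(call, aliases)
            for idx, arg in enumerate(call.args):
                origin = next((tainted[n] for n in names_in(arg) if n in tainted), None)
                if origin is None:
                    continue
                if target in SINKS:
                    hits.append((origin, target, call.lineno))
                elif target in summaries and idx in summaries[target]:
                    hits.append((origin, f"{target} -> {summaries[target][idx]}", call.lineno))
        if isinstance(stmt, ast.Assign):
            origin = next((resolve(c, aliases) for c in ast.walk(stmt.value)
                           if isinstance(c, ast.Call) and resolve(c, aliases) in SOURCES), None)
            if origin is None:
                origin = next((tainted[n] for n in names_in(stmt.value) if n in tainted), None)
            if origin is not None:
                for t in stmt.targets:
                    for n in names_in(t):
                        tainted[n] = origin
    return hits


def summarize(modules):
    """module.function -> {parameter index: sink chain}. Iterated to a fixpoint
    so chains that cross module boundaries are resolved."""
    summaries, changed = {}, True
    while changed:
        changed = False
        for mod, tree in modules.items():
            aliases = import_map(tree)
            for fn in tree.body:
                if not isinstance(fn, ast.FunctionDef):
                    continue
                entry = {}
                for idx, param in enumerate(fn.args.args):
                    hits = track(fn.body, {param.arg: param.arg}, aliases, summaries)
                    if hits:
                        entry[idx] = hits[0][1]
                key = f"{mod}.{fn.name}"
                if summaries.get(key) != entry:
                    summaries[key], changed = entry, True
    return summaries


def scan(sources):
    """sources: module name -> source text. Returns findings with fingerprints."""
    modules = {name: ast.parse(src) for name, src in sources.items()}
    summaries = summarize(modules)
    findings = []
    for mod, tree in modules.items():
        aliases = import_map(tree)
        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            for origin, chain, lineno in track(fn.body, {}, aliases, summaries):
                flow = f"{origin} -> {chain}"
                sink_line = sources[mod].splitlines()[lineno - 1].strip()
                # Fingerprint excludes the line number, so it survives line shifts.
                fp = hashlib.sha256(f"{mod}|{fn.name}|{flow}|{sink_line}".encode()).hexdigest()[:16]
                findings.append({"module": mod, "function": fn.name, "flow": flow,
                                 "line": lineno, "fingerprint": fp})
    return findings


# Constructed sample modules.
UTIL_SRC = ("import subprocess\n\ndef run_cmd(cmd):\n    full = 'sh -c ' + cmd\n"
            "    return subprocess.call(full, shell=True)\n\ndef log(msg):\n    print(msg)\n")
APP_SRC = ("from flask import request\nfrom util import run_cmd, log\n\ndef handler():\n"
           "    name = request.args.get('name')\n    greeting = 'hello ' + name\n"
           "    log(greeting)\n    run_cmd(name)\n")
```

Running scan({"util": UTIL_SRC, "app": APP_SRC}) reports one finding in app.handler whose flow reads flask.request.args.get -> util.run_cmd -> subprocess.call: the sink is never named in app.py, and only the summary computed for util.run_cmd connects the two files. Prepending a comment line to APP_SRC moves the finding from line 8 to line 9 but leaves its fingerprint unchanged, which is the property an ignore rule needs.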
Advanced Security Reporting
Advanced Security provides aggregated reporting to help security and engineering teams understand and prioritize risk across artifacts, builds, and release bundles.
Capabilities include:
- Exposures reporting – Aggregates findings and highlights where vulnerable or insecure components are actively invoked, prioritizing exploitable risk over theoretical listings.
- Export and automation via APIs – Generate, retrieve, export, delete, or abort reports through supported REST APIs.
